formbook | ed5c55e1ce4b681af404a573caf768de0a8c2dad822687a16333d9ba23b68c97

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac460b302c16f19eeec5b41c280b9cf10dbbf3f482f507db645533e3d0770cd2.xll
Size

1.1MB
MD5

ac661f69d93e92d2e273093a354c4278
SHA1

1815742d1bcea898864642844d273a7df1e82ec0
SHA256

ac460b302c16f19eeec5b41c280b9cf10dbbf3f482f507db645533e3d0770cd2
SHA512

a421c81251cbc44a387eecde547b6987b5e677471ac78d1622379820aa9b67e47309a29272eddf88a645d1468c50a41ffe4274d888466f97cf067970678abf11
SSDEEP

24576:Fz7GHAzH7jX1mFxOf/yixzM8dTOzkrIcftfhGKc:FzCHIIFxOHyixgKOzkff

Score

10^/10

formbook qcr9 discovery rat spyware stealer trojan

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

formbook

Campaign

qcr9

Decoy

Zk2VuT0awFchUJhLp4MS5oLSBcwU

NMvejbmdPn1uoAC9

IRUGwmzjqclXNHPmXWaSNm8w5fFOQMo=

/o6UUIZ9O14oYmy4

oRJSLVVEUn4N

7hEdy1Fa4EIRUqd4y2myftij4w==

lbS2c/H3t89F3+erG4s=

dUmEPGSnWX4MB0dJL4U=

aK0ILCtJRxsoYmy4

KnfB6uhoMLiQ8zqh

A4fvFjER+VQoYmy4

LAtVhC+AM1rl7W1EHjbJdf9484RHgA==

N22bvcNIAg3wzTav

SXCrx+C1cQnN+TQzYotwBy4=

ZfsOtdXHnaBBjA==

NqrplSV6IXd7WNg=

y2FVFTq1L2D86i9IWZw=

tgVWf4TdSXQJ7i9IWZw=

QWxmAlr5okA=

jT92xFr5okA=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	oaiCEUK.exe

Executes dropped EXE 3 IoCs

pid	Process
3812	oaiCEUK.exe
4608	oaiCEUK.exe
2192	oaiCEUK.exe

Loads dropped DLL 2 IoCs

pid	Process
1860	EXCEL.EXE
1860	EXCEL.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3812 set thread context of 2192	3812	oaiCEUK.exe	104
PID 2192 set thread context of 3584	2192	oaiCEUK.exe	56
PID 4364 set thread context of 3584	4364	mstsc.exe	56

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oaiCEUK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstsc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1860	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
3812	oaiCEUK.exe
3812	oaiCEUK.exe
3812	oaiCEUK.exe
3812	oaiCEUK.exe
3812	oaiCEUK.exe
3812	oaiCEUK.exe
3812	oaiCEUK.exe
3812	oaiCEUK.exe
3812	oaiCEUK.exe
2192	oaiCEUK.exe
2192	oaiCEUK.exe
2192	oaiCEUK.exe
2192	oaiCEUK.exe
2192	oaiCEUK.exe
2192	oaiCEUK.exe
2192	oaiCEUK.exe
2192	oaiCEUK.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2192	oaiCEUK.exe
2192	oaiCEUK.exe
2192	oaiCEUK.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe
4364	mstsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	oaiCEUK.exe
Token: SeDebugPrivilege	2192	oaiCEUK.exe
Token: SeDebugPrivilege	4364	mstsc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1860	EXCEL.EXE
1860	EXCEL.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE
1860	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 3812	1860	EXCEL.EXE	87
PID 1860 wrote to memory of 3812	1860	EXCEL.EXE	87
PID 1860 wrote to memory of 3812	1860	EXCEL.EXE	87
PID 3812 wrote to memory of 4608	3812	oaiCEUK.exe	103
PID 3812 wrote to memory of 4608	3812	oaiCEUK.exe	103
PID 3812 wrote to memory of 4608	3812	oaiCEUK.exe	103
PID 3812 wrote to memory of 2192	3812	oaiCEUK.exe	104
PID 3812 wrote to memory of 2192	3812	oaiCEUK.exe	104
PID 3812 wrote to memory of 2192	3812	oaiCEUK.exe	104
PID 3812 wrote to memory of 2192	3812	oaiCEUK.exe	104
PID 3812 wrote to memory of 2192	3812	oaiCEUK.exe	104
PID 3812 wrote to memory of 2192	3812	oaiCEUK.exe	104
PID 3584 wrote to memory of 4364	3584	Explorer.EXE	109
PID 3584 wrote to memory of 4364	3584	Explorer.EXE	109
PID 3584 wrote to memory of 4364	3584	Explorer.EXE	109
PID 4364 wrote to memory of 448	4364	mstsc.exe	110
PID 4364 wrote to memory of 448	4364	mstsc.exe	110
PID 4364 wrote to memory of 448	4364	mstsc.exe	110

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac460b302c16f19eeec5b41c280b9cf10dbbf3f482f507db645533e3d0770cd2.xll"
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\Temp\oaiCEUK.exe
    "C:\Windows\Temp\oaiCEUK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Windows\Temp\oaiCEUK.exe
      "C:\Windows\Temp\oaiCEUK.exe"
      4⤵
      Executes dropped EXE
      PID:4608
  - - C:\Windows\Temp\oaiCEUK.exe
      "C:\Windows\Temp\oaiCEUK.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2192
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1592
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4876
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4224
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4752
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ac460b302c16f19eeec5b41c280b9cf10dbbf3f482f507db645533e3d0770cd2.xll

Filesize
1.1MB

MD5
ac661f69d93e92d2e273093a354c4278

SHA1
1815742d1bcea898864642844d273a7df1e82ec0

SHA256
ac460b302c16f19eeec5b41c280b9cf10dbbf3f482f507db645533e3d0770cd2

SHA512
a421c81251cbc44a387eecde547b6987b5e677471ac78d1622379820aa9b67e47309a29272eddf88a645d1468c50a41ffe4274d888466f97cf067970678abf11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
668B

MD5
c5eb4fa7eab2b8e11a0ed87cc8dce639

SHA1
84d99f991e619d8fbe880698e9a288b27f5b201a

SHA256
f5253c838e16ae9199beac8867d2422e029dc9bc4355113ffdd194cfa0003cb1

SHA512
0f907105a0765f8e4190736e19a36b5e74f24674f980c4043a4c75cae3702c9dcf5140e1091a3c9a2145231ae8dd71f2ec9da490f80242a00dd1a6ac636d054c

Download Submit
C:\Windows\Temp\oaiCEUK.exe

Filesize
795KB

MD5
8f58f7fa054f2c2713c9828109bec884

SHA1
5e236d6c470a38ee2cc9451f0f99e7ca8c4843e2

SHA256
0d51c8d151234f30cd4463e10bafc77b11436e35133fdaa08de87328d0ef8d4a

SHA512
7ff35d0d3848d850bacfafa093e264559b42a41b8c83554cc28041bd21ada8669944a42f0a63c7777768d73ad875f958f2413322099d9f2eb31f278124bd7c7f

Download Submit
memory/1860-33-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-67-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-5-0x00007FFB93550000-0x00007FFB93560000-memory.dmp

Filesize
64KB

Download
memory/1860-4-0x00007FFB93550000-0x00007FFB93560000-memory.dmp

Filesize
64KB

Download
memory/1860-6-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-9-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-8-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-7-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-3-0x00007FFB93550000-0x00007FFB93560000-memory.dmp

Filesize
64KB

Download
memory/1860-10-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-11-0x00007FFB91330000-0x00007FFB91340000-memory.dmp

Filesize
64KB

Download
memory/1860-12-0x00007FFB91330000-0x00007FFB91340000-memory.dmp

Filesize
64KB

Download
memory/1860-13-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-15-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-21-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-20-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-19-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-18-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-17-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-16-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-14-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-25-0x000001CE0E680000-0x000001CE0E7B9000-memory.dmp

Filesize
1.2MB

Download
memory/1860-28-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-29-0x000001CE0E9E0000-0x000001CE0E9FC000-memory.dmp

Filesize
112KB

Download
memory/1860-34-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-2-0x00007FFB93550000-0x00007FFB93560000-memory.dmp

Filesize
64KB

Download
memory/1860-36-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-35-0x000001CE0F590000-0x000001CE0F5C6000-memory.dmp

Filesize
216KB

Download
memory/1860-1-0x00007FFBD356D000-0x00007FFBD356E000-memory.dmp

Filesize
4KB

Download
memory/1860-38-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-39-0x000001CE29BC0000-0x000001CE29DDA000-memory.dmp

Filesize
2.1MB

Download
memory/1860-61-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-63-0x00007FFBD356D000-0x00007FFBD356E000-memory.dmp

Filesize
4KB

Download
memory/1860-64-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-37-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-0-0x00007FFB93550000-0x00007FFB93560000-memory.dmp

Filesize
64KB

Download
memory/1860-66-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/1860-65-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/2192-83-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3584-98-0x0000000008A20000-0x0000000008B4D000-memory.dmp

Filesize
1.2MB

Download
memory/3812-80-0x0000000009390000-0x00000000093F6000-memory.dmp

Filesize
408KB

Download
memory/3812-81-0x0000000009320000-0x0000000009354000-memory.dmp

Filesize
208KB

Download
memory/3812-71-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/3812-53-0x00007FFBD34D0000-0x00007FFBD36C5000-memory.dmp

Filesize
2.0MB

Download
memory/3812-58-0x0000000007D30000-0x00000000082D4000-memory.dmp

Filesize
5.6MB

Download
memory/3812-59-0x0000000007820000-0x00000000078B2000-memory.dmp

Filesize
584KB

Download
memory/3812-62-0x0000000007CE0000-0x0000000007CF4000-memory.dmp

Filesize
80KB

Download
memory/3812-79-0x0000000009080000-0x000000000911C000-memory.dmp

Filesize
624KB

Download
memory/3812-60-0x0000000002BE0000-0x0000000002BEA000-memory.dmp

Filesize
40KB

Download
memory/3812-57-0x0000000000990000-0x0000000000A5E000-memory.dmp

Filesize
824KB

Download
memory/3812-77-0x0000000007D10000-0x0000000007D1C000-memory.dmp

Filesize
48KB

Download
memory/3812-78-0x0000000008F50000-0x0000000008FDE000-memory.dmp

Filesize
568KB

Download
memory/4364-91-0x0000000000360000-0x000000000049A000-memory.dmp

Filesize
1.2MB

Download
memory/4364-92-0x0000000000850000-0x000000000087D000-memory.dmp

Filesize
180KB

Download
memory/4364-88-0x0000000000360000-0x000000000049A000-memory.dmp

Filesize
1.2MB

Download